General

  • Target

    .bat.exe

  • Size

    40KB

  • Sample

    240301-xwylbscb74

  • MD5

    a87188c2c1a6d350f7b01c4cf863a278

  • SHA1

    20fd2314637916ee2b15ce8546e98487083c65c5

  • SHA256

    5c5d9cee9ba4afd8bb85247f02bf0dee53c9043a8be50522f9c2788308da7555

  • SHA512

    75a049188d08c7dbcd46845135546435b4b28e32e8480eedcb5e227b61d10bb714f4c6a08303a247b892b3b864fbb5fdd7e73acba95f60f4537449afc861fbc3

  • SSDEEP

    768:+UNsKVKeh76p4m78H55Iy7KLb17sTVE6xAMlgsMzVPNd6pkdT1v5oYvntPc9v:+xHw6pXeyMKLCprFHOT1v7k

Malware Config

Extracted

Family: gozi

Targets

    • Target

      .bat.exe

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks